# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. {% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %} {% import_yaml 'salt/minion.defaults.yaml' as saltversion %} {% set saltversion = saltversion.salt.minion.version %} {# this is the list we are returning from this map file, it gets built below #} {% set allowed_states= [] %} {% if grains.saltversion | string == saltversion | string %} {% set allowed_states= salt['grains.filter_by']({ 'so-eval': [ 'salt.master', 'ca', 'ssl', 'registry', 'manager', 'nginx', 'telegraf', 'influxdb', 'soc', 'kratos', 'elasticfleet', 'elastic-fleet-package-registry', 'firewall', 'idstools', 'suricata.manager', 'healthcheck', 'pcap', 'suricata', 'utility', 'schedule', 'tcpreplay', 'docker_clean' ], 'so-heavynode': [ 'ssl', 'nginx', 'telegraf', 'firewall', 'pcap', 'suricata', 'healthcheck', 'elasticagent', 'schedule', 'tcpreplay', 'docker_clean' ], 'so-idh': [ 'ssl', 'telegraf', 'firewall', 'idh', 'schedule', 'docker_clean' ], 'so-import': [ 'salt.master', 'ca', 'ssl', 'registry', 'manager', 'nginx', 'strelka.manager', 'soc', 'kratos', 'influxdb', 'telegraf', 'firewall', 'idstools', 'suricata.manager', 'pcap', 'utility', 'suricata', 'zeek', 'schedule', 'tcpreplay', 'docker_clean', 'elasticfleet', 'elastic-fleet-package-registry' ], 'so-manager': [ 'salt.master', 'ca', 'ssl', 'registry', 'manager', 'nginx', 'telegraf', 'influxdb', 'strelka.manager', 'soc', 'kratos', 'elasticfleet', 'elastic-fleet-package-registry', 'firewall', 'idstools', 'suricata.manager', 'utility', 'schedule', 'docker_clean', 'stig', 'kafka' ], 'so-managersearch': [ 'salt.master', 'ca', 'ssl', 'registry', 'nginx', 'telegraf', 'influxdb', 'strelka.manager', 'soc', 'kratos', 'elastic-fleet-package-registry', 'elasticfleet', 'firewall', 'manager', 'idstools', 'suricata.manager', 'utility', 'schedule', 'docker_clean', 'stig', 'kafka' ], 'so-searchnode': [ 'ssl', 'nginx', 'telegraf', 'firewall', 'schedule', 'docker_clean', 'stig' ], 'so-standalone': [ 'salt.master', 'ca', 'ssl', 'registry', 'manager', 'nginx', 'telegraf', 'influxdb', 'soc', 'kratos', 'elastic-fleet-package-registry', 'elasticfleet', 'firewall', 'idstools', 'suricata.manager', 'pcap', 'suricata', 'healthcheck', 'utility', 'schedule', 'tcpreplay', 'docker_clean', 'stig', 'kafka' ], 'so-sensor': [ 'ssl', 'telegraf', 'firewall', 'nginx', 'pcap', 'suricata', 'healthcheck', 'schedule', 'tcpreplay', 'docker_clean', 'stig' ], 'so-fleet': [ 'ssl', 'telegraf', 'firewall', 'logstash', 'nginx', 'healthcheck', 'schedule', 'elasticfleet', 'docker_clean' ], 'so-receiver': [ 'ssl', 'telegraf', 'firewall', 'schedule', 'docker_clean', 'kafka', 'elasticsearch.ca', 'stig' ], 'so-desktop': [ 'ssl', 'docker_clean', 'telegraf' ], }, grain='role') %} {%- if grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %} {% do allowed_states.append('zeek') %} {%- endif %} {% if grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %} {% do allowed_states.append('strelka') %} {% endif %} {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %} {% do allowed_states.append('elasticsearch') %} {% endif %} {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %} {% do allowed_states.append('elasticsearch.auth') %} {% endif %} {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %} {% do allowed_states.append('kibana') %} {% do allowed_states.append('kibana.secrets') %} {% endif %} {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} {% do allowed_states.append('elastalert') %} {% endif %} {% if grains.role in ['so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %} {% do allowed_states.append('logstash') %} {% endif %} {% if grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver', 'so-eval'] %} {% do allowed_states.append('redis') %} {% endif %} {# all nodes on the right salt version can run the following states #} {% do allowed_states.append('common') %} {% do allowed_states.append('patch.os.schedule') %} {% do allowed_states.append('motd') %} {% do allowed_states.append('salt.minion-check') %} {% do allowed_states.append('sensoroni') %} {% do allowed_states.append('salt.lasthighstate') %} {% endif %} {% if ISAIRGAP %} {% do allowed_states.append('airgap') %} {% endif %} {# all nodes can always run salt.minion state #} {% do allowed_states.append('salt.minion') %}